Many argue that conducting business in the cloud poses many risks to law firms and attorneys; nothing could be further from the truth. Chances are, unless you have a large in-house IT department supporting several hundred or more attorneys, the use of reputable cloud services will significantly decrease ethical risks. The adoption of new technology, and especially cloud services, can significantly decrease an attorney’s risk of breaching its ethical duties.
The first question raised in almost any discussion about technology in the field of law deals with client confidences. RPC 1.6, Confidentiality of Information, imposes a duty on attorneys to protect and ensure the privacy of their clients’ information and confidences:
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation[,] or the disclosure is permitted by paragraph (b).
RPC 1.6(a) Confidentiality of Information. However, this duty is not absolute, and it must be read in the context of RPC 1.1, The Duty of Competence. RCP 1.1 requires attorneys to provide competent representation as follows:
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
RPC 1.1 Competence. The ever evolving standard of “competence” is subject to change as times and technology progress and advance. As stated by David G. Ries in Law Practice Today, the duty of competence includes an attorney’s use of technology, and “It requires attorneys who lack the necessary technical competence for security (many, if not most attorneys) to consult with qualified people who have the requisite expertise.” David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today, http://www.americanbar.org/publications/law_practice_today_home/law_practice_today_archive/march12/cyber-security-for-attorneys-understanding-the-ethical-obligations.html. However, throughout modern history, the gold standard for attorney competence hasn’t changed: reasonableness. An attorney acting reasonably under the circumstances is typically acting competently.
Read together, RPC 1.6(a) and RPC 1.1 require that an attorney competently protect client confidences. As one commentator observed: “The requirement for lawyers is reasonable security, not absolute security.” Id. The comments to RPC 1.6 confirm this:
[16] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.
[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.
RPC 1.6, Cmt. 16-17 (emphasis added). Various state bar ethical opinions similarly address the competence required to avoid the exposure of client information to third parties. For example, the State Bar of Arizona requires that an attorney take “competent and reasonable steps” to avoid the disclosure (accidental disclosure or through theft) and destruction of client confidences and electronic information. See id.; State Bar of Arizona, Opinion No. 05-04 (July 2005) (Formal Opinion of the Committee on the Rules of Professional Conduct). Absolute security is an impossible standard to uphold, but attorneys should be aware of their ethical duty to protect information and that they will be held to a standard that would be deemed reasonable by others in practice.
This begs the question: In an age of specialization, where most attorneys cannot reasonably understand and manage rapidly emerging technologies, how do attorneys remain competent?
Some will argue that, to be safe, a lawyer must comply with HIPPA, PCI, or other heightened electronic data security standards. However, the evolution of electronic storage and communication has not brought on a heightened standard of security. Unless the data itself comes within the express coverage of HIPPA, PCI, or similar standards, (which it typically does not,) then the attorney who fails to comply with those standards is acting competently, so long as he is acting reasonably. For example, although HIPPA may require the transmission of information via encrypted emails, the American Bar Association has recognized that an attorney may generally transmit information relating to client representation by unencrypted emails over the internet. See ABA Op. 11-459 (2011) (“Duty to Protect the Confidentiality of E-mail Communications with One’s Client”); ABA Op. 99-413 (1999) (“Protecting the Confidentiality of Unencrypted E-Mail”); WSBA Adv. Op. 2175 (2008) (“Email Fee Agreement”). Absent special client instruction or data, the use of standard security measures, such as unencrypted email, do not violate an attorney’s ethical duties.
Instead, the key to managing ethical risks related to the disclosure of client information is to understand the weak spots in the technology, called “attack vectors,” and focus your efforts there. TechTarget, Attack Vector Definition (accessed Oct. 1, 2015). Keep an eye on our blog, and be sure to sign up for e-mail updates, as we’ll be addressing cloud-based attack vectors in depth over the next few weeks.